Is there a way to catch hold of who is using the login credentials of a web service account?

Suggy · ‎11-16-2022

We have integrated ServiceNow instance 'A' with another ServiceNow instance 'B' for Incident sync using Basic Authentication (locally created account in ServiceNow)

Issue is - Some times the web service call fails from instance 'B' to instance 'A'. When we checked the logs, we could see several log entries saying 'Invalid username/password' foe the above account.

So looks like someone is purposely trying to use login using wrong credentials and the account is getting locked out.

Is there a way to check WHO tried to login using the web service credentials?

NOTE - I could see an login attempt entry in 'syslog_transaction' for above web service account. But WHO is that is not shown.

vikrantsharma · ‎11-17-2022

Hi Suggy,

If you are using a Service Account, you can only tell if that Service account was able to login success fully or not.

ServiceNow cannot tell you who triggered that transaction as the transaction uses the access of a Service Account you created in ServiceNow and used that account for that transaction. You might want to check the logs on the Web application then on ServiceNow, it might be able to tell you which user logged in an clicked on a button or something that triggered that transaction.

Hope this makes sense, and I was able to understand your query?

Please make it correct or helpful if this solves or help you with your issue for other to make use it.

Thanks & Regards,
Vikrant Sharma

Suggy · ‎11-17-2022

Hi @vikrantsharma I have updated my question now. Can you check now please? Thnx

Mike_R · ‎11-17-2022

There's a field in the syslog_transaction table called IP Address. Would that provide any useful info?

Mike
* My Collection of ServiceNow Stuff *

Suggy · ‎11-21-2022

No Mike